ACM Washington Update, Vol. 11.6 (July 3, 2007)

[1] Newsletter Highlights
[2] USACM Members Go to the Hill: Employment Eligibility Verification System
[3] USACM Members Go to the Hill Again: Social Security Numbers
[4] TGDC Final Meeting on Next VVSG Postponed
[5] New York Times Report on Military Overseas Voting
[6] Spyware Bill Would Define Zombies
[7] About USACM
[An archive of all previous editions of Washington Update is available at http://www.acm.org/usacm/update/]

[1] NEWSLETTER HIGHLIGHTS

Below are highlights of the top stories from June. Two members of USACM testified before Congress on privacy, security and accuracy issues during separate hearings, while e-voting legislation stalled and a federal e-voting standards body prepares to wrap up its work. There is more detail on each item below, as well as on our weblog at http://www.acm.org/usacm/weblog:

* Peter Neumann, Principal Scientist at SRI and USACM member, testified that Congressional proposals to mandate an electronic employment verification system created significant new security, privacy and accuracy concerns and urged Congress not to overreach with the technology.

* Annie Antón, Associate Professor of Software Engineering at North Carolina State University and USACM-EC member, testified that the spread and use of Social Security numbers for identification and authentication has contributed to ID theft and urged Congress to curb their use.

* As the Pentagon tries to create easier voting methods for members of the military stationed overseas, the same old security problems keep happening, according to a new analysis by a team of technical experts.

* The Technical Guidelines Development Committee postponed its final meeting to approve its recommendations for the next version of the Voluntary Voting System Guidelines.

* Senator Pryor (D-AR) introduced new anti-spyware legislation that looks to combat the threat of “zombie” computers under the control of hackers.

[2] USACM MEMBERS GO TO THE HILL: EMPLOYMENT ELIGIBILITY VERIFICATION SYSTEM

During a Congressional hearing in June, Dr. Peter G. Neumann, Principal Scientist at SRI International and USACM member, warned policymakers about the significant risks of a new electronic identity verification system being proposed as part of immigration reform efforts. The system, called the Employment Eligibility Verification System, or EEVS, is a central part of the immigration legislation recently debated in the Senate and defeated twice.

The EEVS would check the identity and work authorization of job applicants and employees by verifying an employee’s Social Security number and name against the Social Security Administration’s database. This system, which is currently a voluntary pilot program (known as the Basic Pilot program), handled approximately 1.8 million employee queries in 2006. Testimony at the hearing indicated the system would need to handle on average 60 million queries per year if it were fully implemented nationwide.

The Social Security Administration (SSA) is one of two agencies that would handle the implementation and operation of the EEVS (the Department of Homeland Security (DHS) is the other). As the SSA has trouble making disability determinations in a timely fashion (currently disability applicants need to wait several months, if not years, to resolve claims), the Members – on both sides of the aisle – were skeptical of the SSA’s capability to handle the increased burden. The government witnesses were optimistic, assuming the resources and personnel were available. However, the additional costs for the SSA to ramp up for the EEVS are considerable. The government witnesses predicted that it would take an additional $70 million per year for program management and $300-400 million for compliance staff.

One of the key issues discussed at the hearing was the accuracy rate of the underlying databases. The SSA and the General Accounting Office both testified that the current error rate in the Social Security number database was about four percent. If, as proposed, all 146 million employees would have to be verified against this database by their employers, the “nonconfirmation” rate would impact millions of current workers. They would then have to work with SSA and/or DHS to resolve discrepancies which would disrupt their workplaces.

The non-government witnesses spoke of the many different problems with the EEVS, both as currently deployed in the Basic Pilot and as it would be deployed under the proposed legislation. Dr. Neumann spoke to the challenges of large computer systems and their lackluster track record. Other witnesses spoke to the problems inherent in the current high error rates; the difficulty in correcting erroneous information, false positives or false negatives; the security and privacy concerns over a system intended to work over the Internet; and the potential for abuse of the system by employers and employees.

The Members present at the hearing clearly were skeptical of the claims that the system would work as advertised, but they seemed to think some system is inevitable. While the Senate immigration bill failed twice in June, we suspect that the EEVS will be revisited sometime in the future. It has already been incorporated into at least one House bill, as the central “security” component of that legislation.

Dr. Neumann testified on behalf of USACM, and his testimony can be read online at:

[3] USACM MEMBERS GO TO THE HILL AGAIN: SOCIAL SECURITY NUMBERS

Also in June, Dr. Annie Antón, Associate Professor of Software Engineering at North Carolina State University and USACM-EC member, testified before the Social Security Subcommittee at a hearing looking into how better to protect the privacy and security of Social Security numbers. The subcommittee is mulling legislation to restrict how Social Security numbers are used and published. Several different proposals have been considered by Congress to restrict Social Security numbers, including HR 948 — The Social Security Number Protection Act, and S1178 — the Identity Theft Prevention Act.

The members of Congress, as well as many of the non-governmental witnesses, testified to the risks to privacy and security demonstrated by the widespread use of Social Security numbers (SSN). While acknowledging that there can be legitimate uses for the number, most of the witnesses suggested that many of the requests for an SSN do not serve any necessary purpose. The Chairman related his own story of being asked for an SSN when buying a refrigerator. Additionally, many witnesses argued that the ways in which the SSN is used do not effectively guarantee that the person providing the number is the person assigned to that number.

While some witnesses argued that the SSN was a necessary element for the credit reporting and financial industries to do their work, the general sentiment of the committee was that the SSN is being requested too often for purposes that either are unnecessary or could be handled through other means.

Dr. Antón testified on behalf of USACM. Her testimony is available online at:

The other witnesses at the hearing included members of Congress; government officials involved with social security number use; and representatives of privacy, financial services, data collection, and other groups dealing with the use of social security numbers in public records and business transactions. Their testimony can be found at:

[4] TGDC FINAL MEETING ON NEXT VVSG POSTPONED

The Technical Guidelines Development Committee (TGDC) was scheduled to hold its final meeting on the next version of the Voluntary Voting System Guidelines (VVSG) on July 3. The scheduled meeting (to be handled over teleconference) has been postponed due to “open issues related to the next VVSG that require further review.” The TGDC is supposed to submit their VVSG draft to the Election Assistance Commission (EAC) by July 31, so the meeting should take place sometime before then.

The VVSG must be approved by the EAC, so there may be changes between the final version and what is approved by the TGDC. There will be a public comment period following the EAC approval of the document, but the length of the VVSG (over 750 pages) suggests it would be better to review it sooner rather than later.

[5] NEW YORK TIMES REPORTS ON MILITARY OVERSEAS VOTING

An article in the June 13 New York Times describes the current status of military voting overseas. In brief, the systems in place to help service members stationed overseas to vote remain “slow, confusing and plagued with security and privacy problems.” Meanwhile, Americans serving abroad continue to be frustrated with the inefficiency of voting while out of the country. The article can be read online here:

The challenges of a reliable system for overseas voting have been highlighted in the work of the SERVE project (Secure Electronic Registration and Voting Experiment), which involves some USACM members. They reviewed the Pentagon’s current plans and issued a highly critical report, which says in part, “We understand the importance of providing military and overseas U.S. citizens with the best possible access to absentee voting. But, we would do them no favor by providing them with a flagrantly insecure and inauditable method of voting. We believe it would be irresponsible to put our democracy at risk by allowing votes to be transmitted over the wide-open and insecure Internet.”

[6] SPYWARE BILL WOULD DEFINE ZOMBIES

Senator Mark Pryor (D-AR) introduced S. 1625, the Counter Spy Act, earlier this month. The bill joins other legislation (H.R. 964 and H.R. 1525) that seeks to reduce the harm of spyware. Both of the other bills have passed the House and are awaiting Senate consideration. Senator Pryor is no stranger to the issue – he spoke at our April briefing on botnets and was recently appointed co-chair of a Senate Democratic task force on high-tech issues.

The bill places most of the enforcement responsibility with the Federal Trade Commission, unless the computer transactions or computers involved relate to certain sectors, such as insurance, credit unions and those groups subject to the Federal Communications Act.

The bill is a bit more technical (legally and technologically) than the spyware bills already passed by the House (HR 964 and HR 1525). For instance, the bill defines certain things like zombies. To wit, in Section 3(1)(A):

“ZOMBIES. — Transmitting or relaying commercial electronic mail or a computer virus from a protected computer if the transmission or relaying is initiated by a person other than an authorized user and without the authorization of an authorized user;”

The bill has been referred to the Senate Commerce Committee. Given the other spyware legislation working through the legislative process, it’s hard to see exactly what a final bill may look like (or the likelihood of a final bill) by the end of this session. Congress has tried for a number of years to enact anti-spyware legislation, with little success so far.

[7] ABOUT USACM

USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM is an educational and scientific society uniting the world’s computing educators, researchers and professionals to inspire dialogue, share resources and address the field’s challenges. ACM strengthens the profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.